USAA Mobile App Information Disclosure

2015-01-23T00:00:00
ID PACKETSTORM:130067
Type packetstorm
Reporter David Longenecker
Modified 2015-01-23T00:00:00

Description

                                        
                                            `The USAA Mobile app for Android, prior to version 7.10.1 (released 19  
January), contains an information disclosure vulnerability. I have  
submitted a CVE-Assign request for this issue but do not yet have a CVE  
assigned. The issue is demonstrated with sanitized screen captures at  
http://dnlongen.blogspot.com/CVE-2015-USAA  
  
By design, the USAA Mobile app for Android allows users to select whether  
to log out immediately upon task-switching (i.e. being interrupted by a  
phone call or notification), or to stay logged in for up to 20 minutes.  
  
When "Stay logged in" is enabled however, versions prior to 7.10.1 display  
the last-viewed screen *before* prompting the user to log back in. If that  
last screen contained sensitive information, such as account numbers and  
balances, it becomes possible for one to obtain this information without  
authorization. Whether it were 20 minutes later, or a week later, launching  
the USAA mobile app would show personal information briefly before blanking  
the screen and prompting for a password or PIN.  
  
I would not consider this a severe risk. It cannot be exploited by a remote  
attacker - it requires physical access to the mobile device. It also  
requires that the attacker is able to log in to the Android device, or that  
the device lacks a password-protected lockscreen. I have not found it  
possible to take any action without authenticating - the screen is shown  
for perhaps a second or two before a login prompt appears. Nonetheless, it  
is an unauthenticated information disclosure issue with the app.  
  
With the 7.10.1 version, instead of seeing a screen full of personal  
information, the app opens to a benign menu that has no personal  
information. Upon choosing a menu option that would show private data, the  
user is prompted to log in before any data is shown.  
  
--   
  
Regards,  
David Longenecker  
@dnlongen  
  
  
`